November 16, 2017


Rob Joyce 

Cybersecurity Coordinator 

The White House 

1600 Pennsylvania Avenue Northwest 
Washington, DC 20500 


Dear Mr. Joyce: 


I am writing to urge you to take prompt action to protect federal computer networks from 
cyberattacks perpetrated by foreign state actors and criminals by requiring agencies to block the 
delivery of malware-laden internet-based advertisements to their employees’ work computers. 


Malware is increasingly delivered through code embedded in seemingly innocuous
advertisements online. Individuals do not even need to click on ads to get infected: this malicious 
software, including ransomware, is delivered without any interaction by the user. During the past 
few years, criminals have repeatedly delivered malware to American visitors to major news 
websites, social media, and streaming services by placing their malicious code in ads purchased 
through online advertising networks. Among other things, malware can steal, modify, or wipe 
sensitive government data, or remotely record conversations by remotely enabling a computer’s 
built-in microphone. 


According to recent media reports, Russia attempted to distribute malware-laden internet 
advertisements to at least one state election agency in August 2016. Although the vast majority 
of internet advertisements are legitimate, the fact that hostile actors can remotely target and 
potentially infect the computers of U.S. government employees means that this cyber threat 
vector can no longer be ignored. Using targeted ads, it is simply far too easy for foreign 
governments to deliver malicious code directly to the computers of government employees. 


While the online advertising industry plays a vital role in the economics of the internet 
ecosystem, the threat posed by ad-delivered malware cannot be ignored. Indeed, several federal 
agencies have already recognized the serious nature of this cyber threat and, as a result, instituted 
network-based ad blocking. To that end, I ask that you do the following: 


• Begin discussions with the online advertising industry and direct them to develop a plan
within the next 180 days to ensure that online advertising networks cannot be used by 
foreign governments and criminals to deliver malware to U.S. government computers. 




• After 180 days, if you are not completely confident that the advertising industry will
effectively address this cyber threat, direct the Department of Homeland Security to issue 
a Binding Operational Directive requiring federal agencies to block the delivery to 
employees’ computers of all internet ads containing executable computer code. 


I appreciate your attention to this important matter. If you have any questions, please contact
Chris Soghoian on my staff at (202) 224-5244.


Sincerely, 




Ron Wyden 
United States Senator 


CC: Christopher Krebs, Assistant Secretary for Infrastructure Protection, Department of 
Homeland Security 


